Wednesday, 27 February 2013

If the Daily Mail is to be believed (and I appreciate that’s a big “if”), then today I have come across another piece of evidence which indicates that European policy makers may well be incapable of agreeing on the meaning of some of the most important concepts of data protection law, like fairness and consent.

This blog is not designed to criticise the policy makers themselves
– more it’s to point out that various communities within Europe have very
different social and cultural expectations as to what is considered appropriate
behaviour. And I’m all for local communities being able to respect their own
cultural sensitivities.

The evidence
is the report that policy makers in Berlin have recently decided that it is not appropriate
for a German TV company to copy the format of the British TV series “One Born Every Minute”, which follows staff and patients on a busy maternity ward.
Why? Well, evidently, because it was an invasion of privacy for newborn babies.

Given that, in the UK, the
viewers only get to see each baby for a few seconds after their birth, it’s really
hard to appreciate why their fundamental rights can take precedence over the rights
of the nursing staff and the patients, who really are the focal points of the
programme, and who would certainly have signed as many consent forms as any
conscientious broadcaster would have created.

I do hope that this story is inaccurate. I do hope that the inference – which is that “German data protection rules” have prevented potentially great TV programmes from being made in Germany – is incorrect.

And I am so glad that the bods at the Information Commissioner's Office are evidently happy that the British version of “One Born Every Minute” doesn’t breach any sensible UK data protection rules.

If the German viewers aren't allowed to see their own stories, hopefully they can pick up the British version, so that they can enjoy what they have been forbidden to create themselves.

Sunday, 24 February 2013

The Dutch MEP Sophie in 't Veld has high hopes for the forthcoming General Data Protection Regulation (or whatever it will end up being called).

Apparently, new rules can force companies into innovating, and could give the EU a competitive advantage. I’m not sure over whom, but I suspect that what is meant behind the claim is that those data-hungry non-EU-based organisations (mentioning no names, of course) would find their services less compelling if only the EU organisations got their regulatory acts together.

Well, if that happens,
then I’m all in favour of the new rules.

But is it likely to
happen?

How often does additional red tape result in a company obtaining a competitive advantage?

Answers, please, on
a postcard, to the usual address.

And make the
handwriting legible this time. Too much time at the keyboard kills those
essential handwriting skills.

Wednesday, 20 February 2013

Glancing at a recent news report, I see that,
coincidentally, some European Parliamentary Committees are voting on a wide
range of amendments to the proposed General Data Protection Regulation at almost
the same time that various European regulators are threatening (again) to take
action against Google for apparently behaving in an awful manner.

Presumably, these events are not linked.

Presumably, there is no attempt on the part of certain
regulators to keep stories about awful overseas-based data controllers in the minds
of the public (and their MEPs) at the very time that some MEPs are supposed to
be wading through documents stuffed with impenetrable data protection amendments.

If the rules were changed to allow European parliamentarians
only to take part in votes on amendments and issues that they understood, I
expect that the number of politicians eligible to take part in votes on the
Regulation would drop quite substantially.

As it is, I’m sure that lots of amendments will be waved through by people who may not fully appreciate the financial implications of what they are doing.

But never mind.

Perhaps when the Member States have had their say on what
the instrument should look like, the text will have radically changed again.

Monday, 18 February 2013

Given that it runs to 82 pages, some people will be grateful that the ICO has just decided to publish in full its views on the proposed General Data Protection Regulation. Many more people will hope that someone else will read it for them, and produce a note summarising the highlights.

(Top tip – if you can’t stomach all 82 pages, there are 2 pages of similar stuff elsewhere on the ICO’s website.)

Well, this blog is not a note about any of the highlights.

But it does cast some light into the debate about two of the
controversial areas – one of which I suspect that many Data Protection Officers
will not have been unduly concerned about. However, the issue still deserves
careful thought by Member States. It concerns the structure of the European
Data Protection Board. This is evidently what enough members of the Article 29
Working Party are planning to call themselves, although I’ve recently heard that not
all members of the Article 29 Working Party could agree on a new name for that
august body.

Anyway, the issue concerns the European Data Protection Supervisor, and the role that person has to play in future. As we all know, the EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. He does so by monitoring the EU administration's processing of personal data; advising on policies and legislation that affect privacy; and cooperating with similar authorities to ensure consistent data protection.

And, as we all know, under Article 2.2(b) the proposed Regulation does not apply to the processing of personal data by the Union institutions, bodies, offices and agencies.

So why
should the proposed European Data Protection Board have to include someone who is not tasked
with regulating any relevant institutions? The concept is hard for some people to accept.

But, it gets
better.

Article 69 of the Regulation provides that: “The European Data Protection Board
shall elect a chair and two deputy chairpersons from amongst its members. One
deputy chairperson shall be the European Data Protection Supervisor, unless he
or she has been elected chair.”

The ICO has
commented: “We are not clear how this can provide for an election if one of the
deputy chairpersons has to be the EDPS.”

I commend
the ICO for its restraint. Others may well protest at the absurdity of a
situation where a democratic election may need to be “fixed” to guarantee the
election of a regulator who is responsible for institutions that are exempted
from the regulation he is supposed to be supervising.

If this is
European democracy in action, then I’m a banana.

In the UK, rotten
boroughs in Parliamentary elections were abolished in the 19th
Century. The most notorious borough was Old Sarum in Wiltshire. At one
election, the electorate comprised 3 houses and just 7 voters, yet they had the
responsibility of electing 2 Members of Parliament. It would be deeply ironic
if the Regulation were to effectively propose their reintroduction.

The second controversial area I want to highlight in this blog is the ICO’s very wise comments on Article 63, which provides that: “For the purposes of this Regulation, an enforceable measure of the supervisory authority of one Member State shall be enforced in all Member States concerned.”

In a
masterpiece of understatement, the ICO has suggested that: “We need to think
through the implications of this degree of harmonisation. It could lead to the
prohibition of a processing operation which is acceptable to the citizens of
the UK – or – on the other hand – to unacceptable processing being legitimised
on the basis of a simple majority vote.”

Just wait
until those gentle folk in UKIP get to hear about this one. Other commentators
might have preferred to shout “Keep your towels off our lawns.” We Brits don’t
mind harmonisation when it makes sense, but we do bristle when we are required
to adopt practices that go against the grain of our culture and national
identity.

Thursday, 14 February 2013

I understand that the European Ombudsman has just launched a formal investigation
into allegations that the European Commission is failing to clamp down on
conflicts of interest amongst staff who leave the EU executive to take up jobs
as lobbyists and consultants.

An original complaint was filed with the Ombudsman in October last year by the NGOs Corporate Europe Observatory, Greenpeace, Lobbycontrol and Spinwatch, claiming that the Commission is unwittingly allowing private interests undue influence in public policymaking.

The
Ombudsman is due to launch a formal investigation, and will seek previously
undisclosed details of all cases in the last three years where Commission staff
have left to take up jobs in the private sector where conflicts may occur.

I
think the Ombudsman needs to tread carefully. These people can be of
considerable value once they have left their previous post, as they can often offer
information which, thanks to a defective communications strategy, was missed even
by those who try to follow relevant developments very closely.

Let’s
hope the investigation isn’t widened so that it includes former members of Data
Protection Authorities too.

I’ve
frequently found their advice and instincts to be extremely astute. They certainly
help a data controller understand the likely concerns that a Commissioner will
have. I say that it would not necessarily help matters if attempts were made to
muzzle them for a fixed period after leaving their former posts.

Monday, 11 February 2013

Who benefits most when utility companies replace existing gas and
electric meters with what is becoming known as "smart meters"? These new meters are the next generation of
meters, which can offer a range of benefits for both the individual electricity
and gas consumer and for the electricity and gas systems in general.

For consumers, I guess the principal issue is whether their
introduction will result in financial savings, by reducing consumption of gas
and electricity.

The answer, at least from a pilot study carried out in Ireland in
2011, is evidently yes. On average, the saving could amount to 2.9%. Naturally,
some people will save more than others. But surprisingly (to me at least),
those who are likely to save the most don’t belong to social classes A and B.

According to the report: “Participants
with the highest and lowest education and social grade education are least
likely to reduce usage. This may reflect motivation (among those with AB social
grade) and communication (among those with lower social grades C2 and DE).
While efforts were made in the communications strategy to be inclusive, the
difference may reflect more fundamental barriers to engagement among those with
lower levels of educational achievement.”

Marketing professionals will be aware that social class A contains
the upper middle classes (higher managerial administrative or professional people), while class B contains the
middle classes (intermediate managerial, administrative or professional
people). Such people only saved some €13.27 during the year-long trial. Less than anyone else.

Their savings were trumped by those from social class C1 (the supervisory or clerical and junior managerial, administrative or professional staff), who saved €25.07. They were also trumped by those in social classes D & E (the casual or lowest grade workers, pensioners and others who depend on the welfare state for their income), who saved €18.22. And they were even trumped by the skilled manual workers (the C2 class), who saved €16.42.

So, while I’m expecting that the professional classes will create more
of a fuss about ensuring the data protection aspects of any smart metering
programme fully comply with any regulation that can be thrown at it, those who may
ultimately stand to benefit most from the process will be the plebs, who deserve
an equal opportunity to get fully engaged in the relevant data protection debates.

Sunday, 10 February 2013

Now the cookie rules have been in force for so long that many
of us have moved on to deal with more pressing issues, I’ve been asking myself
what the fuss was really all about.

There have been benefits. New careers have been forged in
the compliance industry, and webmasters are (probably) more aware of what “their”
websites do than before. Compliance
professionals have developed a new vocabulary of terms which have been posted
on the pages of websites that are accessible by those few, yes those happy
few, users who click on the links to learn more about cookies.

The more frequently I click on these links, the more
frequently I smile. I read down long lists of cookies, carefully explained and categorised,
and I think to myself ‘surely I can’t be the only person not to understand much
about this stuff.’ If ever we have found a way of not engaging with users, then
surely this is it.

But then again, I don’t remember any specific campaigns
mounted by the privacy brigade demanding better transparency about cookies at
the time the e-Privacy Directive introduced the new rules, nor do I recall
reading any letters from customers of the companies I used to work for
mentioning that they wanted to have the right to opt out of certain types of
cookies. Yes, people wanted the right to object to personalised advertising, but
I can’t think of a single letter from a customer that ever mentioned cookies.

Moving on to the present, however, thanks to the way we lead our current lives, and to the efforts of the privacy lobby and some of the regulators, people are much better informed about the electronic trails that they leave.

But has this changed user behaviours? Or user preferences?

Have many people taken advantage of their ability to obliterate
some of these electronic trails by objecting to certain types of cookies?

I’m really looking forward to seeing evidence that many
people have.

What I do see are renewed efforts by the regulators to encourage greater transparency – particularly in the mobile arena, where the focus is now shifting to mobile application developers. Yes, these developers need to become far more transparent about what they do with the data that is hoovered up. But I don’t think this will necessarily damage their business models.

The point, after all, is simply to explain what is being
done with the data that is being obtained. In larger organisations, yes this
will be a challenge – a challenge of information accountability. Many more organisations
seem to have an information security officer than they have someone accountable
for the information that actually populates these databases. The challenge, therefore,
is to understand just who is accountable for the information that is being
processed, so that they can be accountable for the cookie explanation.

I don’t think that these explanations, once published, will
necessarily cause users to object to what is being done. So I don’t think they
have much to fear.

The only thing for businesses to fear is not making these
explanations available in the first place.

To my mind, the greatest thing to have emerged from the great
cookie saga has been to highlight the role of effective information governance
in an organisation.

And it’s been highlighted, I think, by pointing out how hard
it is to find it within so many organisations.

Wednesday, 6 February 2013

The Intelligence and Security Committee has published its eagerly
awaited (28 page) report on how the proposals in the Government’s draft Communications Data Bill might affect the
use of communications data by the intelligence and security agencies.

It complements
the more wide-ranging (101 page) report that was published last year by a Joint
Parliamentary Committee that I worked with.

It won’t
come as a surprise to anyone to learn that the conclusions are very similar. Both reports considered that the Bill should be
much more specific about the records that providers should (generally) be required
to retain.

The ISC, naturally, is keen that people who may be of interest to the agencies are not given an opportunity to learn precisely where the gaps in capability are. If targets knew where the gaps were, they might be exploited to evade detection. Accordingly, the ISC considers that notices to particular providers, requiring them to retain particular data types, should remain secret.

That may be highly desirable as far as the agencies are concerned, but in many cases the records, if they exist, will eventually be produced as evidence in legal proceedings that relate to criminals who are of no interest to these agencies. How can the capability of a provider to retain particular records remain a secret for the agencies, but be public knowledge for other parts of the law enforcement community, the courts – and also for customers when they exercise their subject access rights under data protection legislation?

It is
not at all easy, in an internet age, to tinker with the transparency agenda.
Perhaps there is a trade off between short term dips in operational capability
and greater public pressure on a provider (or providers) to start to keep records
that, for commercial, technical or legal reasons, are not currently kept.

I would expect the Government to adopt an approach that allows a greater, rather than a lesser, degree of transparency. All citizens expect the State to provide a certain degree of public security, and for that the State needs the tools that are necessary to enable it to carry out this role. But citizens also want to be confident that the State is only doing what is necessary and what is proportionate.

Now
that this report has been published, it shouldn’t be long before we hear
about the Government’s revised plans to ensure that those who have the capability
to inspect our communications remain fully accountable.

Source: Access To Communications Data By The Intelligence And Security Agencies, Cm. 8514

Sunday, 3 February 2013

Those who applied to attend the ICO’s conference, to be held
at the Manchester Central Convention Centre next month, ought to have received
their official confirmations by now. If you are among the lucky ones to have
been accepted, then I look forward to seeing you there.

The agenda is packed with an impressive range
of seminars to attend – as well as keynote speeches by the usual suspects, and perhaps a surprise or two.

What will be the
overarching theme of the day? What crumbs of comfort will stressed data
protection officers be getting? Will it all be bad news?

Using the phrase so
cleverly twisted by Graham Smith last
year, when opening the event as the first of “The Smiths” to speak, it wasn’t
his aim for everyone to leave thinking “Heaven knows, I’m miserable now”.

That
joke isn’t funny any more.

Stop me if you think you’ve heard this one before. I’ve set out, in my usual way, what I think
the theme of the conference will be:

The speakers are confirmed
It’s been trending on Twitter
If you’ve got your invitation
Then you must be a big hitter

From the many who applied
To the few who were chosen
From the warmth of an office
To the conference centre frozen

But we are there, we are ready
We are waiting to cause mayhem
To a storm of applause
The chairman calls Chris Graham

He tells it as it is
To an audience quite hushed
Starting with an annual round up
He does not care to be rushed

Some thoughts from the heart
Into his soul he will reach
For his true opinions
On the latest data breach

Then a few words of comfort
For those seeking information
About who is saying what
On the draft regulation

Then it comes – the big announcement
Which gets us all in a tizzy
For our special entertainment
Will be some songs by Thin Lizzy

Who cares about The Smiths
Despite their renown
As we all sing the chorus
‘The boys are back in town’

Why an Irish group that imploded
Some 21 years ago?
What’s the link to the conference?
That’s what we wanted to know

That band started in the ’70s
And it surely is a fact
Their greatest hits were well before
The Data Protection Act

Perhaps the themes of the event
Are relax and don’t get stressed
If you have no bad intent
Try your hardest, do your best

And
Do it your way if you must
But should there be a time
When you really come a cropper
You might face a stonking fine

Saturday, 2 February 2013

One of my email accounts has just received a communication from
someone with a Yahoo.Japan email address:

This is Miss. Charlote Siegloff from Trinidad & Tobago. I am writing from the hospital in Cote D'Ivoire, therefore this mail is very urgent as you can see that I am dying in the hospital. I was told by the doctor that I was poisoned and has got my liver damaged and can only live for some months.

I inherited some money ($2.5 Million) from my late father and I cannot think of anybody trying to kill me apart from my step mother in order to inherit the money, she is an Ivorien by nationality. I want you to contact my servant with this informations below:

He will give you the documents of the money and will direct you to a well known lawyer that I have appointed to him, the lawyer will assist you to change the documents of the money to your name to enable the bank transfer the money to you. This is the favour I need when you have gotten the money:-

(1) Give 10% of the money to my servant Mathins Henry, as he has been there for me throught my illness and I have promised to support him in life. I want you to take him along with you to your country and esterblish him as your son.

(2) Give 10% of the money to Charity Organisations and Churches on my name so that my soul may rest in peace.

Note; This should be a code between you and Mathins in this transactioin "Hospital" any mail from him, the barrister he will direct you to, without this code "Hospital" is not from the barrister, Mathins, the bank or myself as I don't know what will happen to me in the next few hours.

(3) the lawyer's name is Mc Lambert Adams. And Let Mathins send you his National ID or his passport to be sure of whom you are dealing with. Mathins is so little therefore guide him. May God bless you and use you to accomplish my wish.

Pray for me always. Thank you
Miss. Charlote Siegloff.

Surely, if anyone falls for this stuff, they have no one to
blame but themselves.

Hopefully, by now, our chums at Yahoo! will have received
enough complaints to block both Charlotte’s Japanese email account and the address
that people were invited to contact Mathins on.

Image credit:

The world (as it was known and ruled in 1910) http://www.emersonkent.com/images/world_map_1910.jpg

Friday, 1 February 2013

How do
you know whether someone has an appropriate level of experience in data
protection?

This
question is becoming quite important, as a variety of organisations are
currently offering various types of certification of data protection
proficiency.

But are
these certificates actually worth much? What assurance do they give that the
bearer of the certificate is any good at applying legal principles in a manner
that is acceptable to an employer or to a regulator? Which is the best one?

Given
the increased level of public interest in data protection, I expect that it
won’t be too long before the spotlight falls on the training organisations that
currently operate in the UK. Does each organisation really offer the trainee an
adequate level of knowledge, and is the certificate that is subsequently
acquired of much practical use to a British data protection officer?

Yes,
employers like people who are qualified. But qualified in what respect? If they
are not careful, employers will just rely on the publicity that is churned out
by the certification providers. But publicity about how good their own certification
is cannot really be taken as a sufficiently objective measure.

What qualifications really are appropriate? Those issued by the British Computer Society/ISEB? PDP? Act Now? Or the IAPP?

Here, there might be a role for National Occupational Standards. These are standards which describe what an individual needs to do, know and understand in order to carry out a particular job role or function. As the NOS website helpfully points out, they are:

"National because they can be used in every part of
the UK where the functions are carried out;

Occupational because they describe the performance
required of an individual when carrying out functions in the workplace, i.e. in
their occupation (as a plumber, police officer, production engineer, etc); and

Standards because they are statements of effective
performance which have been agreed by a representative
sample of employers and other key stakeholders and approved by the UK NOS
Standards Panel.”

Trainers in the policing and law enforcement area have recently created a standard with the snappy title of “SFJ ZA11 Ensure organisational compliance with Data Protection legislation”.

Perhaps what we need is for more industries to create suitable standards, and then for an independent regulator to assess whether the certificates offered by the major training providers adequately meet these standards.

Otherwise, we might see training organizations taking
advantage of the growing fears that organizations have when they realise that
they need to get data protection right, by delivering inadequate training to
students.

If ever there were a need for regulation to protect
the public against dodgy standards, then perhaps there is a case for the data
protection training market to be more formally regulated.

About Me

I'm Martin Hoskins, and I started this blog to offer a somewhat irreverent approach to data protection issues. As time has passed, the tone of my posts has become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.